CVE-2018-1309
- EPSS 4.52%
- Veröffentlicht 23.05.2018 14:29:00
- Zuletzt bearbeitet 21.11.2024 03:59:35
Apache NiFi External XML Entity issue in SplitXML processor. Malicious XML content could cause information disclosure or remote code execution. The fix to disable external general entity parsing and disallow doctype declarations was applied on the Ap...
- EPSS 0.86%
- Veröffentlicht 25.01.2018 21:29:00
- Zuletzt bearbeitet 21.11.2024 03:15:02
Any authenticated user (valid client certificate but without ACL permissions) could upload a template which contained malicious code and caused a denial of service via Java deserialization attack. The fix to properly handle Java deserialization was a...
CVE-2017-15697
- EPSS 4.83%
- Veröffentlicht 23.01.2018 22:29:00
- Zuletzt bearbeitet 21.11.2024 03:15:01
A malicious X-ProxyContextPath or X-Forwarded-Context header containing external resources or embedded code could cause remote code execution. The fix to properly handle these headers was applied on the Apache NiFi 1.5.0 release. Users running a prio...
CVE-2017-12632
- EPSS 2.85%
- Veröffentlicht 23.01.2018 22:29:00
- Zuletzt bearbeitet 21.11.2024 03:09:56
A malicious host header in an incoming HTTP request could cause NiFi to load resources from an external server. The fix to sanitize host headers and compare to a controlled whitelist was applied on the Apache NiFi 1.5.0 release. Users running a prior...
CVE-2017-5636
- EPSS 3.6%
- Veröffentlicht 19.10.2017 20:29:00
- Zuletzt bearbeitet 13.05.2026 00:24:29
In Apache NiFi before 0.7.2 and 1.x before 1.1.2 in a cluster environment, the proxy chain serialization/deserialization is vulnerable to an injection attack where a carefully crafted username could impersonate another user and gain their permissions...
CVE-2017-5635
- EPSS 3.29%
- Veröffentlicht 19.10.2017 20:29:00
- Zuletzt bearbeitet 13.05.2026 00:24:29
In Apache NiFi before 0.7.2 and 1.x before 1.1.2 in a cluster environment, if an anonymous user request is replicated to another node, the originating node identity is used rather than the "anonymous" user.
CVE-2016-8748
- EPSS 1.76%
- Veröffentlicht 19.10.2017 20:29:00
- Zuletzt bearbeitet 13.05.2026 00:24:29
In Apache NiFi before 1.0.1 and 1.1.x before 1.1.1, there is a cross-site scripting vulnerability in connection details dialog when accessed by an authorized user. The user supplied text was not being properly handled when added to the DOM.
CVE-2017-12623
- EPSS 1.94%
- Veröffentlicht 10.10.2017 18:29:00
- Zuletzt bearbeitet 13.05.2026 00:24:29
An authorized user could upload a template which contained malicious code and accessed sensitive files via an XML External Entity (XXE) attack. The fix to properly handle XML External Entities was applied on the Apache NiFi 1.4.0 release. Users runni...
CVE-2017-7665
- EPSS 3.51%
- Veröffentlicht 12.06.2017 16:29:00
- Zuletzt bearbeitet 13.05.2026 00:24:29
In Apache NiFi before 0.7.4 and 1.x before 1.3.0, there are certain user input components in the UI which had been guarding for some forms of XSS issues but were insufficient.
CVE-2017-7667
- EPSS 1.43%
- Veröffentlicht 12.06.2017 16:29:00
- Zuletzt bearbeitet 13.05.2026 00:24:29
Apache NiFi before 0.7.4 and 1.x before 1.3.0 need to establish the response header telling browsers to only allow framing with the same origin.